2013 Global Security Report

2012 Application Security Trends

Cloud-based application deployments continue to grow in popularity but introduce no fundamentally new application challenges. Rather, the security difficulties are policy- and procedure-driven, not technical. In traditional application architecture, security roles and responsibilities are typically well-understood, but many organizations fail to document those responsibilities when transitioning to a cloud environment. As a result, internal stakeholders may incorrectly assume that security roles are covered. This is even more pronounced when the cloud is managed by an external provider.

Top 10 Application Vulnerabilities

The top 10 application vulnerabilities were determined by combining vulnerability risk with frequency of observation. In addition to ranking top vulnerabilities, percentages of applications that contain at least one instance of the vulnerability are also documented. In the end, an application needs to have only a single instance of a significant flaw to result in a full compromise.

These results are based on a sample of applications that underwent penetration tests conducted by Trustwave SpiderLabs

Attack Scenarios

Two general approaches to exploiting weak application security are attack the server directly (SQL injection, logic flaws, IDOR, etc.) or send attacks through the user (XSS, CSRF, etc.). Attacking the application server directly is by far the most common scenario because it allows for bulk data extraction and simultaneous compromise of many accounts.

Some user-oriented vulnerabilities, chiefly persistent XSS, can allow for a single attack to be launched simultaneously against many users. If the users have access to sufficiently valuable data, this can also be a viable scenario.

New technologies (or new ways of using old technologies) are always likely to bring in a new wave of vulnerabilities, though. For example, various NoSQL solutions have been increasing in popularity as more applications start to handle massive amounts of data.

Also, HTML5 has potential to impact application security, both on the client and server sides. Web applications have historically been modeled on thin clients with data/logic on the server and superficial presentation performed in the browser. That began to change when rich Internet applications (RIAs) introduced more complex presentation logic to the browser. HTML5 applications that use local storage APIs must contend with a variety of security issues far more complex than those presented by the comparatively simple browser cache directives